1 See References in Text note below.
of the Homeland Security Act of 2002 for the purpose of ensuring the security of agency information systems, if—
Editorial Notes
References in Text
Section 230(b)(1) of the Homeland Security Act of 2002, referred to in subsec. (h)(3)(A), is section 230(b)(1) of title II of Pub. L. 107–296, as added by Pub. L. 114–113, div. N, title II, § 223(a)(6), Dec. 18, 2015, 129 Stat. 2964, which was redesignated section 2213(b)(1) of Pub. L. 107–296 by section 2(g)(2)(I) of Pub. L. 115–278, Nov. 16, 2018, 132 Stat. 4178, and is classified to section 663(b)(1) of Title 6, Domestic Security.
The Homeland Security Act of 2002, referred to in subsec. (l)(1), is Pub. L. 107–296, Nov. 25, 2002, 116 Stat. 2135. Title XXII of the Act is classified generally to subchapter XVIII (§ 651 et seq.) of chapter 1 of Title 6, Domestic Security. For complete classification of this Act to the Code, see Short Title note set out under section 101 of Title 6 and Tables.
Prior Provisions
Provisions similar to this section were contained in sections 3533 and 3543 of this title prior to repeal by Pub. L. 113–283.
Amendments
2021—Subsec. (b)(7) to (9). Pub. L. 116–283, § 1705(1), added pars. (7) and (8) and redesignated former par. (7) as (9).
Subsec. (l). Pub. L. 116–283, § 1705(2), added subsec. (l).
2019—Subsecs. (j), (k). Pub. L. 116–92 added subsec. (j) and redesignated former subsec. (j) as (k).
2018—Subsec. (a)(5). Pub. L. 115–390 inserted “and section 1326 of title 41” after “compliance with the requirements of this subchapter”.
2015—Subsec. (b)(6)(B). Pub. L. 114–113, § 224(e), inserted “, operating, and maintaining” after “deploying”.
Subsecs. (h) to (j). Pub. L. 114–113, § 229(a), added subsecs. (h) to (j).
Statutory Notes and Related Subsidiaries
Change of Name
Committee on Oversight and Government Reform of House of Representatives changed to Committee on Oversight and Reform of House of Representatives by House Resolution No. 6, One Hundred Sixteenth Congress, Jan. 9, 2019. Committee on Oversight and Reform of House of Representatives changed to Committee on Oversight and Accountability of House of Representatives by House Resolution No. 5, One Hundred Eighteenth Congress, Jan. 9, 2023.
Effective Date of 2018 Amendment
Amendment by Pub. L. 115–390 effective 90 days after Dec. 21, 2018, see section 205 of Pub. L. 115–390, set out as an Effective Date note under section 1321 of this title.
Construction
Pub. L. 115–390, title II, § 204(b), Dec. 21, 2018, 132 Stat. 5193, provided that: “Nothing in this title [see section 201 of Pub. L. 115–390, set out as a Short Title of 2018 note under section 101 of Title 41, Public Contracts] shall be construed to alter or impede any authority or responsibility under section 3553 of title 44, United States Code.”
No TikTok on Government Devices
Pub. L. 117–328, div. R, Dec. 29, 2022, 136 Stat. 5258, provided that:
“SEC. 101. SHORT TITLE.
“This division may be cited as the ‘No TikTok on Government Devices Act’.
“SEC. 102. PROHIBITION ON THE USE OF TIKTOK.
“(a) Definitions.—In this section—
“(1) the term ‘covered application’ means the social networking service TikTok or any successor application or service developed or provided by ByteDance Limited or an entity owned by ByteDance Limited;
“(2) the term ‘executive agency’ has the meaning given that term in section 133 of title 41, United States Code; and
“(3) the term ‘information technology’ has the meaning given that term in section 11101 of title 40, United States Code.
“(b) Prohibition on the Use of TikTok.—
“(1) In general.—Not later than 60 days after the date of the enactment of this Act [Dec. 29, 2022], the Director of the Office of Management and Budget, in consultation with the Administrator of General Services, the Director of the Cybersecurity and Infrastructure Security Agency, the Director of National Intelligence, and the Secretary of Defense, and consistent with the information security requirements under subchapter II of chapter 35 of title 44, United States Code, shall develop standards and guidelines for executive agencies requiring the removal of any covered application from information technology.
“(2) National security and research exceptions.—The standards and guidelines developed under paragraph (1) shall include—
“(A) exceptions for law enforcement activities, national security interests and activities, and security researchers; and
“(B) for any authorized use of a covered application under an exception, requirements for executive agencies to develop and document risk mitigation actions for such use.”
Breaches
Pub. L. 113–283, § 2(d), Dec. 18, 2014, 128 Stat. 3085, provided that:
“(1) Requirements.—The Director of the Office of Management and Budget shall ensure that data breach notification policies and guidelines are updated periodically and require—
“(A) except as provided in paragraph (4), notice by the affected agency to each committee of Congress described in section 3554(c)(1) of title 44, United States Code, as added by subsection (a), the Committee on the Judiciary of the Senate, and the Committee on the Judiciary of the House of Representatives, which shall—
“(i) be provided expeditiously and not later than 30 days after the date on which the agency discovered the unauthorized acquisition or access; and
“(ii) include—“(I) information about the breach, including a summary of any information that the agency knows on the date on which notification is provided about how the breach occurred;
“(II) an estimate of the number of individuals affected by the breach, based on information that the agency knows on the date on which notification is provided, including an assessment of the risk of harm to affected individuals;
“(III) a description of any circumstances necessitating a delay in providing notice to affected individuals; and
“(IV) an estimate of whether and when the agency will provide notice to affected individuals; and
“(B) notice by the affected agency to affected individuals, pursuant to data breach notification policies and guidelines, which shall be provided as expeditiously as practicable and without unreasonable delay after the agency discovers the unauthorized acquisition or access.
“(2) National security; law enforcement; remediation.—The Attorney General, the head of an element of the intelligence community (as such term is defined under section 3(4) of the National Security Act of 1947 (50 U.S.C. 3003(4)), or the Secretary of Homeland Security may delay the notice to affected individuals under paragraph (1)(B) if the notice would disrupt a law enforcement investigation, endanger national security, or hamper security remediation actions.
“(3) Reports.—
“(A) Director of OMB.—During the first 2 years beginning after the date of enactment of this Act [Dec. 18, 2014], the Director of the Office of Management and Budget shall, on an annual basis—
“(i) assess agency implementation of data breach notification policies and guidelines in aggregate; and
“(ii) include the assessment described in clause (i) in the report required under section 3553(c) of title 44, United States Code.
“(B) Secretary of Homeland Security.—During the first 2 years beginning after the date of enactment of this Act, the Secretary of Homeland Security shall include an assessment of the status of agency implementation of data breach notification policies and guidelines in the requirements under section 3553(b)(2)(B) of title 44, United States Code.
“(4) Exception.—Any element of the intelligence community (as such term is defined under section 3(4) of the National Security Act of 1947 (50 U.S.C. 3003(4)) that is required to provide notice under paragraph (1)(A) shall only provide such notice to appropriate committees of Congress.
“(5) Rule of construction.—Nothing in paragraph (1) shall be construed to alter any authority of a Federal agency or department.”
Similar provisions were contained in Pub. L. 113–282, § 7(b), Dec. 18, 2014, 128 Stat. 3071.